The draft Cybercrimes and Cybersecurity Bill has been published for public comment in South Africa. The draft bill in its current form imposes obligations on “electronic communications service providers” to inform its clients of cybercrime trends and to establish procedures to report such crimes.
The definition of an “electronic communications service provider” includes not only mobile networks, internet service providers and others providing electronic communications services. It also regulates “financial institutions” as defined in the Financial Services Board Act 1990 and “any entity who or which transmits, receives, processes or stores data on behalf of another person.”
The law will impose obligations on banks, pension funds, collective investment schemes, credit rating agencies and insurers. These entities do not fall within the regular meaning of the term “electronic communications service provider”. It would be prudent for any organisation which falls within the ambit of this definition to consider the impact of the proposed Bill and whether it will be in a position to fulfil the proposed obligations.
Clause 64 provides that an electronic communications service provider must:
- take reasonable steps to inform clients of cybercrime trends which may affect them;
- establish procedures to report cybercrimes; and
- inform its clients of measures which may be taken to safeguard against cybercrime.
The Bill also imposes obligations on providers to report offences to the National Cybercrime Centre (a structure within the South African Police Service, that will be established in terms of the law) and to preserve information which may be of assistance to law enforcement agencies.
An electronic communications service provider which fails to comply is liable to a fine of R10 000 for each day on which such failure to comply continues. Interested parties may want to comment on the Bill before 30 November 2015 because these proposed obligations are overbroad and non-specific.